Cryptology ePrint Archive: Report 2018/844

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove

Jean Paul Degabriele and Marc Fischlin

Abstract: Ever since the foundational work of Goldwasser and Micali, simulation has proven to be a powerful and versatile construct for formulating security in various areas of cryptography. However security definitions based on simulation are generally harder to work with than game based definitions, often resulting in more complicated proofs. In this work we challenge this viewpoint by proposing new simulation-based security definitions for secure channels that in many cases lead to simpler proofs of security. We are particularly interested in definitions of secure channels which reflect real-world requirements, such as, protecting against the replay and reordering of ciphertexts, accounting for leakage from the decryption of invalid ciphertexts, and retaining security in the presence of ciphertext fragmentation. Furthermore we show that our proposed notion of channel simulatability implies a secure channel functionality that is universally composable. To the best of our knowledge, we are the first to study universally composable secure channels supporting these extended security goals. We conclude, by showing that the Dropbear implementation of SSH-CTR is channel simulatable in the presence of ciphertext fragmentation, and therefore also realises a universally composable secure channel. This is intended, in part, to highlight the merits of our approach over prior ones in admitting simpler security proofs in comparable settings.

Category / Keywords: Secure Channels, Ciphertext Fragmentation, Universal Composability, Subtle Authenticated Encryption, SSH

Original Publication (in the same form): IACR-ASIACRYPT-2018

Date: received 7 Sep 2018, last revised 10 Sep 2018

Contact author: jpdega at gmail com,marc fischlin@cryptoplexity de

Available format(s): PDF | BibTeX Citation

Version: 20180914:151825 (All versions of this report)

Short URL: ia.cr/2018/844


[ Cryptology ePrint archive ]